ERP5Form: solve security issues with dynamic dialog Folder_viewSearchDialog
With a non-manager user, the dialog was raising an UnauthorizedError when accessing form properties like id or update_action. With verbose security we had:

    Unauthorized: Your user account does not have the required permission. Access to 'update_action' of (ERP5Form at /erp5/person_module/Folder_viewSearchDialog) denied. Your user account, [some account], exists at /erp5/acl_users. Access requires one of the following roles: ['Assignee', 'Assignor', 'Associate', 'Auditor', 'Author', 'Manager']. Your roles in this context are ['Authenticated', 'Member'].

By looking further, this regression started with the introduction of the erp5_hal_json_style bt, which installs the ERP5 Form portal type with "Acquire Local Roles" unchecked.

By looking also at the acquisition chain of a usual Form:

    (Pdb) self.person_module.PersonModule_viewPersonList.aq_chain
    [<ERP5 Form at /erp5/PersonModule_viewPersonList used for /erp5/person_module>, <Person Module at /erp5/person_module>, <ERP5Site at /erp5>, <Application at >, <ZPublisher.BaseRequest.RequestContainer object at 0x7f76305cae90>]

And at the one of Folder_viewSearchDialog:

    (Pdb) self.person_module.Folder_viewSearchDialog().aq_chain
    [<ERP5Form at /erp5/person_module/Folder_viewSearchDialog>, <Person Module at /erp5/person_module>, <ERP5Site at /erp5>, <Application at >, <ZPublisher.BaseRequest.RequestContainer object at 0x7f05f0751850>]

It seems fixing the acquisition chain is a better option than allowing Acquire Local Roles on all forms. After this patch, we have the following chain for this dialog:

    (Pdb) self.person_module.Folder_viewSearchDialog().aq_chain
    [<ERP5Form at /erp5/Folder_viewSearchDialog used for /erp5/person_module>, <Person Module at /erp5/person_module>, <ERP5Site at /erp5>, <Application at >, <ZPublisher.BaseRequest.RequestContainer object at 0x7f76305cae90>]